Nozomu Sasaki

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.51 TYPO3 CMS versions 12.0.0 through 12.4.46 TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** The cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialize PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend, such as the file system or the `sys registry` database table, can inject a crafted serialized payload to trigger PHP Object Injection. This may allow the exploitation of a gadget chain to achieve Remote Code Execution. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.52 or later. Update to version 12.4.47 or later. Update to version 13.4.32 or later. Update to version 14.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** Mantis Bug Tracker (MantisBT) versions prior to 2.28.2 **Description** Flawed logic in the Update Issue page 'bug update page.php' causes improper escaping of textarea custom field contents. This allows an authenticated user with low-privilege bug report permissions to inject HTML and potentially execute arbitrary JavaScript if Content-Security Policy (CSP) settings permit. Such execution can lead to session theft, administrative account takeover, and unauthorized access to full project data. Exploitation requires a textarea-type custom field to be configured for the project and affects any user viewing the bug edit form, including administrators. **Recommendations** Update to version 2.28.2. Use the default Content-Security Policy to block script execution as a temporary workaround.